Month in Breaches: May 2020

This is an initiative by our Security Operations Centre team, who monitor breaches and critical security trends around the clock. In this issue, breaches and trojans continue to plague the global threat landscape. Part of protecting our clients is also promoting good security practices and raising awareness of current security trends, boosting your overall understanding of current breaches.

Toll Group Compromised Data Dumped on the Dark Web

Toll Group was infected by ransomware earlier this year, in February, and that attack proved costly for the company to recover from. Now another strain of ransomware, named ‘Nefilim’, has hit Toll Group this month, leading the company to shut down its IT systems and servers to contain the infection. It was also discovered that the perpetrators responsible for the ransomware leaked about 200GB of corporate data on the Dark Web. The attackers had exfiltrated the data from a Toll corporate server that contained employee information and details of commercial agreements with some of its current and former enterprise customers.

The ransomware that hit Toll Group, Nefilim, targets Remote Desktop Protocol (RDP) servers exposed to the internet. The attackers gain access through vulnerable RDP servers and then spread across the network once they have a foothold. Nefilim is also a relatively new strain of malware. To mitigate such incidents, employees should be educated about phishing emails and the risks they carry. Having a business continuity plan in place for when a cyber breach occurs is also essential for the smooth functioning of the organisation during a breach. Keeping all systems up to date by applying software patches also greatly reduces the risk of ransomware.

BlueScope Steel Hit by Ransomware

BlueScope Steel, one of the oldest steel manufacturers in Australia, was hit by ransomware this month. The ransomware hit servers located in the United States. The strain of ransomware has not yet been named by BlueScope officials. However, it is believed that one or more employees could have opened malicious emails, which in turn could have compromised the network. Officials confirmed that this resulted in a halt of the company’s digital production operations.

Ransomware infections are causing havoc for businesses around the globe and are considered one of the most serious cybersecurity threats. A business should always be ready to combat this threat. The majority of ransomware infections originate from an employee clicking on a malicious email. It is therefore essential for an organisation to have its email gateway set up and kept updated so that suspicious emails are blocked before they reach the employee. Employ network segmentation across the organisation: once an attacker compromises a machine, they will typically try to move laterally across the network to compromise more machines and eventually reach critical devices such as servers. CTRL Group also urges organisations to have an effective backup strategy, as having secure and up-to-date backups of all critical business information is the best form of defence against ransomware attacks.

Crafty Phishing Attack Bypasses MFA on O365

A new phishing campaign is able to bypass multi-factor authentication (MFA) on Microsoft’s Office 365 to gain access to the victim’s data stored in the cloud. Researchers at the Cofense Phishing Defense Centre have found that attackers leverage the OAuth2 framework and OpenID Connect (OIDC) protocol, using a maliciously crafted SharePoint link to trick users into granting permissions to a rogue application. Because the victim has already signed in (MFA included) by the time they approve the consent prompt, the rogue application receives its tokens without the attacker ever having to pass MFA themselves. If successful, even the most basic form of the attack can steal all of the victim’s email and access cloud-hosted documents containing confidential information. The attack can be escalated further by using this confidential information to demand a bitcoin ransom. The most concerning part is that the attacker obtains refresh tokens, so the victim needs to authenticate only once for the attacker to retain access.

Phishing attacks are at an all-time high. Researchers have found that the URL used in a phishing attempt can reveal the attacker’s bad intentions, but this is not easily noticed by people without strong technical experience. It is therefore vital to educate employees about such scenarios and make them aware of the consequences of clicking a malicious link and entering their credentials or other sensitive information. Up-to-date email filters and properly configured firewalls can also help in some cases by dropping suspicious emails before they reach the user’s inbox.
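One detection-side check a SOC can run for the consent-phishing technique described above: flag user consent grants to applications that are not on the organisation’s approved list and that request mail/file access or a refresh token (the `offline_access` scope). This is an added example, not code from CTRL Group or Cofense; the event shape, field names, approved app list and sample events are all constructed for illustration.

```python
import json

# Constructed sample consent-audit events (not real tenant data). The field
# names are an assumption: a simplified shape, not any vendor's exact schema.
SAMPLE_EVENTS = [
    {"event": "ConsentToApplication", "user": "alice@example.com",
     "app_id": "11111111-0000-0000-0000-000000000001", "app_name": "Contoso HR",
     "scopes": ["User.Read"], "consent_type": "User"},
    {"event": "ConsentToApplication", "user": "bob@example.com",
     "app_id": "22222222-0000-0000-0000-000000000002", "app_name": "SharePoint Viewer",
     "scopes": ["offline_access", "Mail.Read", "Files.Read.All"], "consent_type": "User"},
    {"event": "UserLoggedIn", "user": "bob@example.com"},
]

# Applications the organisation has vetted (assumed allow-list for this example).
APPROVED_APP_IDS = {"11111111-0000-0000-0000-000000000001"}

# Scopes that give an app standing access to mail/files, or a refresh token
# (offline_access), which is what lets an attacker keep access after one login.
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite",
                    "Files.Read.All", "Files.ReadWrite.All"}


def flag_consent_grants(events):
    """Return findings for user consent grants to unapproved apps with risky scopes."""
    findings = []
    for ev in events:
        if ev.get("event") != "ConsentToApplication":
            continue  # only consent events matter for this check
        if ev.get("app_id") in APPROVED_APP_IDS:
            continue  # vetted application, nothing to flag
        risky = sorted(set(ev.get("scopes", [])) & HIGH_RISK_SCOPES)
        if not risky:
            continue  # low-privilege scopes only (e.g. User.Read)
        findings.append({
            "user": ev["user"],
            "app_name": ev.get("app_name"),
            "app_id": ev.get("app_id"),
            "risky_scopes": risky,
            # offline_access means a refresh token was issued to the app
            "persistent_access": "offline_access" in risky,
        })
    return findings


if __name__ == "__main__":
    for finding in flag_consent_grants(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

A flagged grant is a prompt to revoke the app’s consent and its refresh tokens, not proof of compromise on its own; pairing this with an admin-consent-only policy removes the user-consent path entirely.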
